Risk Assessment Matrix — Tender Management System
| Field |
Value |
| Document ID |
ISMS-002 |
| Version |
1.0 |
| Status |
Initial assessment |
| Owner |
Information Security Officer (ISO) |
| Last Updated |
2026-06-11 |
| Review Cycle |
Quarterly (minimum) |
1. Purpose
This document records the initial information security risk assessment for the Tender Management System ISMS. It identifies threats, evaluates inherent and residual risk, and defines treatment plans aligned with ISO/IEC 27001 Clause 6.1.2 and Annex A controls.
Related: ISMS Foundation | ISO 27001 Roadmap
2. Methodology
2.1 Risk Formula
2.2 Likelihood Scale
| Score |
Label |
Description |
| 1 |
Rare |
Unlikely in 3+ years |
| 2 |
Unlikely |
Possible but not expected annually |
| 3 |
Possible |
May occur once per year |
| 4 |
Likely |
Expected several times per year |
| 5 |
Almost certain |
Expected frequently or already observed |
2.3 Impact Scale
| Score |
Label |
Description |
| 1 |
Negligible |
No data exposure; minimal downtime (<1 h) |
| 2 |
Minor |
Limited internal data; downtime 1–4 h |
| 3 |
Moderate |
PII exposure for subset of users; downtime 4–24 h |
| 4 |
Major |
Large-scale PII breach; regulatory notification; downtime 1–3 days |
| 5 |
Critical |
Systemic breach; legal liability; prolonged outage (>3 days) |
2.4 Risk Level Matrix
| Score Range |
Level |
Action Required |
| 1–4 |
Low |
Monitor; accept with documented justification |
| 5–9 |
Medium |
Mitigate within 6 months |
| 10–15 |
High |
Mitigate within 3 months; management awareness |
| 16–25 |
Critical |
Immediate treatment; executive escalation |
2.5 Treatment Options
- Mitigate — Apply controls to reduce likelihood or impact
- Transfer — Insurance or contractual liability shift
- Avoid — Discontinue the activity
- Accept — Documented acceptance by authorized role (residual risk only)
3. Risk Register
3.1 Authentication & Access
| Risk ID |
Threat |
Vulnerability |
Asset(s) |
L |
I |
Inherent |
Existing Controls |
Residual L |
Residual I |
Residual |
Treatment |
Owner |
Target Date |
Status |
| R-001 |
Credential stuffing / brute force |
Login endpoints without sufficient throttling |
A-004, A-006, A-007 |
4 |
4 |
16 Critical |
JWT auth, hCaptcha on selected flows, rate limit config |
3 |
3 |
9 Medium |
Enforce rate limiting on all auth endpoints; account lockout; MFA for admin |
Engineering |
Q3 2026 |
Open |
| R-002 |
JWT token theft (XSS, MITM) |
Tokens in client storage |
A-008 |
3 |
4 |
12 High |
HTTPS required in prod; short token TTL; refresh rotation partial |
2 |
3 |
6 Medium |
Complete refresh token rotation; HttpOnly cookies where applicable; CSP headers |
Engineering |
Q3 2026 |
Open |
| R-003 |
Privilege escalation |
Insufficient RBAC checks on admin routes |
A-006, A-014 |
2 |
5 |
10 High |
Role middleware in pkg/authorization |
2 |
4 |
8 Medium |
RBAC audit of all admin endpoints; automated authorization tests |
Engineering |
Q2 2026 |
Open |
| R-004 |
Orphaned / excessive access |
No formal access review process |
A-006, A-010 |
3 |
3 |
9 Medium |
Manual provisioning |
2 |
2 |
4 Low |
Quarterly access review procedure; offboarding checklist |
ISO |
Q3 2026 |
Open |
3.2 Data Protection & Privacy
| Risk ID |
Threat |
Vulnerability |
Asset(s) |
L |
I |
Inherent |
Existing Controls |
Residual L |
Residual I |
Residual |
Treatment |
Owner |
Target Date |
Status |
| R-005 |
Unauthorized PII access |
Missing encryption at rest |
A-001, A-004, A-005 |
3 |
5 |
15 High |
Network isolation; app-level auth |
2 |
4 |
8 Medium |
Enable MongoDB encryption at rest; field-level encryption for sensitive fields |
DevOps |
Q3 2026 |
Open |
| R-006 |
Data breach via backup exposure |
Unencrypted or overly permissive backups |
A-019 |
2 |
5 |
10 High |
Ad-hoc backups |
2 |
3 |
6 Medium |
Encrypted backups; restricted access; backup retention policy |
DevOps |
Q3 2026 |
Open |
| R-007 |
GDPR non-compliance (DSR) |
No documented data subject request process |
A-004, A-005 |
3 |
4 |
12 High |
— |
3 |
3 |
9 Medium |
DSR procedure; data inventory mapping; deletion API/workflow |
DPO |
Q4 2026 |
Open |
| R-008 |
Sensitive data in logs |
Accidental logging of passwords/tokens |
A-011 |
3 |
4 |
12 High |
Coding standards prohibit password logging |
2 |
3 |
6 Medium |
Log scrubbing; automated secret detection in CI |
Engineering |
Q2 2026 |
Open |
3.3 Application Security
| Risk ID |
Threat |
Vulnerability |
Asset(s) |
L |
I |
Inherent |
Existing Controls |
Residual L |
Residual I |
Residual |
Treatment |
Owner |
Target Date |
Status |
| R-009 |
Injection attacks (NoSQL, XSS) |
Unvalidated user input |
A-014 |
3 |
4 |
12 High |
Govalidator; Bluemonday XSS policy |
2 |
3 |
6 Medium |
SAST/DAST in CI; security test cases for injection |
Engineering |
Q2 2026 |
Open |
| R-010 |
Dependency vulnerability exploit |
Outdated Go modules |
A-009 |
4 |
4 |
16 Critical |
go.mod pinned versions |
3 |
3 |
9 Medium |
Dependabot/Renovate; monthly dependency review; govulncheck in CI |
Engineering |
Q2 2026 |
Open |
| R-011 |
Insecure file upload |
Malicious document upload |
A-003, A-005 |
2 |
4 |
8 Medium |
File store service; GridFS/MinIO |
2 |
3 |
6 Medium |
MIME validation; size limits; malware scanning |
Engineering |
Q4 2026 |
Open |
| R-012 |
API abuse / DoS |
High-volume unauthenticated requests |
A-014 |
4 |
3 |
12 High |
Rate limit config exists |
2 |
2 |
4 Low |
Enable rate limiting in production; WAF/CDN |
DevOps |
Q2 2026 |
Open |
3.4 Infrastructure & Operations
| Risk ID |
Threat |
Vulnerability |
Asset(s) |
L |
I |
Inherent |
Existing Controls |
Residual L |
Residual I |
Residual |
Treatment |
Owner |
Target Date |
Status |
| R-013 |
Secret leakage |
Secrets in repo, logs, or .env files |
A-010, A-018 |
3 |
5 |
15 High |
.gitignore; env priority system |
2 |
4 |
8 Medium |
Secret manager (Vault/AWS SM); secret scanning in CI; rotate FCM keys out of repo |
DevOps |
Q2 2026 |
Open |
| R-014 |
Service outage (MongoDB/Redis/MinIO) |
Single points of failure |
A-001, A-002, A-003 |
3 |
4 |
12 High |
Managed services assumed |
2 |
3 |
6 Medium |
HA deployment; DR plan; RTO/RPO definitions |
DevOps |
Q4 2026 |
Open |
| R-015 |
Insufficient monitoring |
Delayed incident detection |
A-011, A-012 |
4 |
4 |
16 Critical |
Application logging only |
3 |
3 |
9 Medium |
SIEM integration; alerting on auth failures, error spikes |
DevOps |
Q3 2026 |
Open |
| R-016 |
Unpatched OS/container images |
Delayed security patching |
A-014, A-015 |
3 |
4 |
12 High |
— |
2 |
3 |
6 Medium |
Patch management procedure; automated image scanning |
DevOps |
Q3 2026 |
Open |
3.5 Third-Party & Supply Chain
| Risk ID |
Threat |
Vulnerability |
Asset(s) |
L |
I |
Inherent |
Existing Controls |
Residual L |
Residual I |
Residual |
Treatment |
Owner |
Target Date |
Status |
| R-017 |
AI service data leakage |
Tender text sent to external AI |
A-017, A-013 |
3 |
4 |
12 High |
Configurable AI endpoint |
2 |
3 |
6 Medium |
DPA with AI vendor; data minimization; on-prem option evaluation |
DPO / DevOps |
Q4 2026 |
Open |
| R-018 |
Notification service compromise |
Email content interception |
A-016 |
2 |
3 |
6 Medium |
TLS to notification API |
2 |
2 |
4 Low |
Vendor security questionnaire; TLS enforcement |
ISO |
Q4 2026 |
Open |
| R-019 |
Compromised TED source data |
Malicious XML in scraper pipeline |
A-013, A-015 |
2 |
3 |
6 Medium |
XML parser validation |
2 |
2 |
4 Low |
Schema validation; sandboxed parsing; input size limits |
Engineering |
Q3 2026 |
Open |
3.6 Human & Process
| Risk ID |
Threat |
Vulnerability |
Asset(s) |
L |
I |
Inherent |
Existing Controls |
Residual L |
Residual I |
Residual |
Treatment |
Owner |
Target Date |
Status |
| R-020 |
Insider threat |
Broad production DB access |
A-001, A-004 |
2 |
5 |
10 High |
— |
2 |
4 |
8 Medium |
Least privilege; break-glass access; audit DB queries |
DevOps |
Q3 2026 |
Open |
| R-021 |
Phishing / social engineering |
Staff credential compromise |
A-006, A-010 |
3 |
4 |
12 High |
— |
2 |
3 |
6 Medium |
Security awareness training; MFA for admin and infra |
ISO |
Q3 2026 |
Open |
| R-022 |
Undocumented change deployment |
No formal change management |
A-009, A-014 |
3 |
3 |
9 Medium |
Git + PR workflow informal |
2 |
2 |
4 Low |
Change management procedure; prod deployment approval |
Engineering |
Q3 2026 |
Open |
| R-023 |
Delayed incident response |
No IR plan or runbooks |
All |
3 |
5 |
15 High |
— |
2 |
4 |
8 Medium |
Incident response plan; tabletop exercise |
ISO |
Q2 2026 |
Open |
4. Risk Summary Dashboard
| Risk Level |
Count |
Risk IDs |
| Critical (16–25) |
0 (after treatment planning) |
R-001, R-010, R-015 were Critical inherent — all have mitigation plans |
| High (10–15) |
8 residual |
R-003, R-005, R-007, R-009, R-013, R-014, R-020, R-023 |
| Medium (5–9) |
12 residual |
R-001, R-002, R-004, R-006, R-008, R-010, R-011, R-015, R-016, R-017, R-021, R-022 |
| Low (1–4) |
3 residual |
R-012, R-018, R-019 |
4.1 Top Priority Actions (Next 90 Days)
- R-023 — Draft and approve incident response plan
- R-013 — Remove secrets from repository; implement secret scanning
- R-010 — Add
govulncheck and dependency scanning to CI
- R-003 — Complete RBAC audit of admin API routes
- R-001 — Enforce authentication rate limiting in production
5. Risk Acceptance Log
Use this section to record risks explicitly accepted after treatment.
| Risk ID |
Residual Score |
Accepted By |
Role |
Date |
Justification |
Review Date |
| None yet |
|
|
|
|
|
|
6. Review History
| Version |
Date |
Reviewer |
Changes |
| 1.0 |
2026-06-11 |
Engineering |
Initial risk identification for TM platform |
Next scheduled review: 2026-09-11
7. Annex — Asset Reference
See ISMS Foundation §4 for full asset inventory (A-001 through A-020).